Best bet for commodity futures? Buy security professionals. Apparently there is a worldwide shortage.
Yeah, right. As I have noted elsewhere, and frequently, there's been a shortage my whole career. I ain't rich yet. There's a bit of a disconnect.
OK, so first off, recently, there was Trump's "executive order," which, as I noted, is mostly about getting staff for (relatively low paying) government jobs, and probably isn't going to change much of anything.
Now, in Canada, another group has been formed "to craft a plan for cyber security education and workforce development." Yeah, good luck with that.
Returning to the US, the Marines are asking for civilian volunteers to make up a new computer task force cyber security unit. According to the General responsible, "If anybody wants to join, you can sign up." (Sounds a bit desperate, if you ask me ...)
@CISOScott Grab yourself a copy of the book or Kindle, and keep it on the bookshelf.
Regards
Caute_cautim
Back when I was a Software Engineer, there was a shortage of those, but that didn't translate into high salary or job security or lots of opportunities due to the scarcity. So the fields may simply not have been as attractive as working in Finance, Law or Medicine. It was seen as a poor relation to more established fields in terms of pay and status. I suspect InfoSec has a similar image problem.
Back in 2013 at the ISC2 meeting at Warwick University there was a show of hands for women in InfoSec, people under 30, under 40, under 50 and so on. The majority of the audience/membership were white males in their 40s and 50s. So there is a lack of diversity and an aging profession, which is in itself a problem.
There is often no clear understanding of the different roles and skill sets in InfoSec, so many organisations simply ask for almost everything for every role. It's not too uncommon to find policies, standards development, SETA, compliance, PCI, security architecture, security audits, administering security tooling, forensics, pen testing and incident response all in the same job ad. Whilst experiences in InfoSec can be diverse, very few people have years of experience in every single aspect of InfoSec. So perfectly capable candidates get rejected, rather than consider candidates who are a 70% fit, and it limits mobility in the labour market, so even if in InfoSec already staff get stuck in roles and not developed.
So many fowl problems occur when we bury our head in the sand!
https://www.cbc.ca/news/canada/british-columbia/peacock-nuisance-animals-beauty-beast-1.4649532
@Steve-Wilme wrote: There is often no clear understanding of the different roles and skill sets in InfoSec, so many organisations simply ask for almost everything for every role. It's not too uncommon to find policies, standards development, SETA, compliance, PCI, security architecture, security audits, administering security tooling, forensics, pen testing and incident response all in the same job ad. Whilst experiences in InfoSec can be diverse, very few people have years of experience in every single aspect of InfoSec. So perfectly capable candidates get rejected, rather than consider candidates who are a 70% fit, and it limits mobility in the labour market, so even if in InfoSec already staff get stuck in roles and not developed.
Hence why you have work with the NICE framework to establish more clearly job roles/duties. Otherwise we get the nonsense of companies saying they want an "Information Security Officer" when what they really want is an Analyst or Engineer (yeah, seen that...).
I had heard something recently that in IT (and by extension infosec) oftentimes people have more and more dumped on their plate, sometimes stuff that maybe they shouldn't be responsible for.
And then those people quit, and their company is left scrambling to fill that role.
So I have to wonder if some of these ridiculous job descriptions are due to this? They are trying to fill a role that had a lot of stuff dumped on them, and they think they can find someone with the same skills/experience to fill the role. Sadly, of course, the quest for someone to "hit the ground running" and do all those things makes that a losing proposition.
Yes quite possibly; it's often sink or swim. The dumped on employee is seen as more capable and 'passionate', so gets more and more given to them over time. If you want something doing give it to someone who's already very busy. And you know where this can lead; to burn out and unexpected resignations. Only then is it realised that there was a 'key man' dependency and the organisation looks for someone else to take on the lot, usually without sufficient budget and without authority within the organisation.
I'm glad you caught the mixed meta force my fine feathered friend. An eagle-eyed kiwi found tracks of a many-splendored bird of another feather. I reckon the mega bird would have made a mega mess. Not unlike some of the turkeys we have seen hereabouts.
@j_M007 Yes indeed - the Wellington Museum was not amused, as University of Otago, followed it up and they missed out on the find. Indeed, mixed metaphors - let's hope we do not end up extinct like the "Moa".
https://en.wikipedia.org/wiki/Moa Unfortunately the colonists (Polynesians) found them tasty and caused their demise very quickly in 1280 onwards.
Regards
Caute_cautim
From birds to songbirds .... Moa moa moa, how do you like it?